PURPOSE

This procedure sets out the requirements for privacy across RTL.

This procedure applies to all employees. Any employee of RTL found to have breached this procedure may be subject to disciplinary action.

The objectives of this procedure are to treat personal information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs). Any personal information outside Australia, will be treated in accordance with the applicable law.

PROCEDURE

• WHAT PERSONAL INFORMATION DO WE COLLECT?

Personal information is any information (including an opinion) which can be used to identify an individual. Sensitive information is a subset of personal information which includes information about an individual’s race or ethnicity, political or religious beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences, criminal record and health information.

Personal information will not be shared, sold or disclosed by RTL other than in accordance with this procedure,

without an individual’s permission, or in accordance with the Privacy Act.

RTL only collects, holds, uses or discloses personal information where it is reasonably necessary to:

• Enable RTL to deliver services or information to individuals or to an organisation;
• Maintain or establish a business relationship, including as a customer, supplier, contractor, or employee;
• Enable RTL to assist to provide services; or to improve, and better understand preferences in respect of RTL services; and
• Fulfil its legal or regulatory obligation.

RTL generally collects personal information directly from the individual to whom it relates, except where that individual has consented to RTL collecting the personal information from a third party, or where the law otherwise permits RTL to do so, or where it is unreasonable or impracticable to collect it directly.

RTL only collects sensitive information directly from individuals with their consent, or where required, it is authorised or otherwise permitted to collect the information from a third party by law.

Personal information may also be collected from, and disclosed to, third parties in the course of business activities. For example, during a recruitment process steps may be taken to verify the accuracy and completeness of the information and, in appropriate circumstances due to the nature of the available position, health checks, credit checks or criminal records checks may be carried out.

An individual has the option, where lawful and practicable, not to be identified when communicating or entering into transactions with RTL (including by the use of a pseudonym). However, in most circumstances, it will be impracticable for RTL to do business with an individual or provide the services required by an individual unless personal information is provided.

1. PURPOSES FOR WHICH WE COLLECT, HOLD, USE AND DISCLOSE PERSONAL INFORMATION

Personal information will be stored in RTL’s systems for immediate business and administration purposes, as detailed above, and may be used or disclosed for the purpose for which it was collected, or for a related purpose which someone may reasonably expect.

Sensitive information will only be disclosed for a purpose which is directly related to the purpose for which it was collected.

Personal information may be disclosed between related bodies corporate within RTL and used by those entities for the same purposes for which the collecting company is entitled to use it.

RTL may also disclose personal information (including overseas recipients):

• to third-party service providers and business associates, including our alliance partners, who provide services in connection with its business.

• with the individuals consent;

• where required, authorised or permitted to do so by law;

• to a person authorised to act on the individual’s behalf; or

• as required by law and specifically to any government agency if RTL believes in good faith that it must do so to comply with the law or that doing so is required to prevent, detect, investigate or remedy improper conduct potentially affecting it.

2. WHERE RTL HOLDS OR TRANSFERS PERSONAL INFORMATION OUTSIDE AUSTRALIA, IT WILL MEET THE SAFEGUARDS SET OUT IN THE PRIVACY ACT. WHERE PERSONAL INFORMATION IS HELD OR DISCLOSED OVERSEAS, ALL REASONABLE STEPS WILL BE TAKEN TO ENSURE THAT THE RECIPIENT WILL HANDLE THE INFORMATION IN A MANNER CONSISTENT WITH THE PRIVACY ACT. CONFIDENTIALITY AND SECURITY

RTL is committed to:

• Safeguarding all personal information provided to RTL;

• Ensuring that personal information remains confidential and secure; and

• Taking all reasonable steps to ensure that personal privacy is respected.

RTL maintains physical, electronic and procedural safeguards to protect personal information from misuse, interference, unauthorised access, modification or disclosure, and loss or corruption by computer viruses and other sources of harm. Access to personal information is restricted to those employees, subsidiary companies or third parties who need to know that information.

In accordance with the Privacy Act, RTL is required to notify you and the Australian Information Commissioner if it becomes aware of a data breach (such as an unauthorised disclosure of or unauthorised access to data, or a loss of data) where that breach is reasonably likely to result in serious harm. This will apply even if your data is being held offshore.

3. ACCESSING OR CORRECTING PERSONAL INFORMATION

In most circumstances, RTL will make available to an individual upon their request any personal information held about them. Requests to access personal information may be made at any time.. RTL will respond to a request within a reasonable time, and in the manner requested, unless there is a legal or administrative reason preventing RTL from doing so. In some cases, a reasonable fee may be charged for providing access.

Reasonable steps shall be taken to ensure the personal information held is accurate, complete and up to date, relevant and not misleading before it is used or shared.

An individual may request that personal information be corrected or supplemented if the individual believes the information held by RTL is inaccurate or misleading. Where RTL agrees, the change will be made. Where RTL

disagrees, RTL will advise the individual and include a notation on the record that the information’s accuracy is

disputed.

If personal information changes, or if an individual believes that the personal information held by RTL is no longer accurate or complete or has been the subject of a data breach, the individual should contact privacy@rtl.com.au

4. DESTRUCTION AND DE-IDENTIFICATION OF PERSONAL INFORMATION

Records management policies govern the archiving and destruction of records which include personal information.

If unsolicited personal information is received, reasonable steps will be taken to destroy or de-identify that personal information.

5. WEBSITES

RTL’s website provides hyperlinks to websites owned and controlled by others. RTL is not responsible for the

privacy practices of these websites. By accessing or using RTL’s website, an individual consents to the collection, use and disclosure of personal information as described in this procedure, as amended from time to time.

6. COMPLAINTS

If an individual has a question, concern, or complaint regarding the way in which personal information is handled, or believes that RTL has breached its obligations under the Privacy Act or has failed to comply with this procedure, they should make a complaint in writing to privacy@rtl.com.au

RTL will review and respond to any complaint as soon as possible, and generally within 30 days of receiving it.

If an individual is not satisfied with RTL’s response, the complaint can be referred to the Office of the Australian Information Commissioner (OIAC). The OAIC will generally consider a complaint if the individual has first written to RTL and given RTL a reasonable opportunity to resolve the complaint (usually 30 days).